This post is about making performance enhancements to a WebRTC app so that they can be used in the area which requires sensitive data to be communicated, cannot afford downtime, fast response and low RTT, need to be secure enough to withstand and hacks and attacks.
Best practices for WebRTC single page applications
As a check the communication clients become single page driven , a lot of authetication , heartbeat sync , web workers , signalling event driven flow management resides on the same page along with the actuall CPU consumption for the audio video resources and media streams . This in turns can make the webpage heavy and many a times could result in crash due to being ” unresponsive”.
Here are some my best to-dos for making sure the webrtc communication client page runs efficiently
Visual stability and CLS ( Cummulative Layout Shift)
CLS metrics measures the sum total of all individual layout shift scores for every unexpected layout shift that occurs during the entire lifespan of the page.
To have a good user interactionn experiences, the DOM elements should display as less movement as possible so that page appears stable . In the opposite case for a flickering page ( maybe due to notification DOM dynamically pushing the other layout elements ) it is difficult to precisely interact with the page elements such as buttons .
Minimize main thread work
The main thread is where a browser processes runs all the JavaScript in your page, as well as to perform layout, reflows, and garbage collection. therefore long js processes can block the thread and make the page unresponsive .
Depriciation of XMLHTTP request on main thread
Reduce Javacsipt execution Time
Unoptimized JS code takes longer to execute and impacts network , parse-compileand memory cost.
If your JavaScript holds on to a lot of references, it can potentially consume a lot of memory. Pages appear janky or slow when they consume a lot of memory. Memory leaks can cause your page to freeze up completely.
Some effective tips to spedding up JS execution include
- minifying and compressing code
- Removing the unused code and console.logs
- Apply caching to save lookup time
Caching
-tbd
Security Concerns
In one of my previous posts I have mentioned about Security threats to WebRTC Solution . It includes mainly 4 ways in which WebRTC Solution Providers and Users are vulnerable , which includes
- Identity Management ,
- Browser Security ,
- Authentication and
- Media encryption.
WebRTC Security
WebRTC Security
Identity Management ,
Browser Security ,
Authentication and
Media encryption.
Browser Threat Model
Best practices for the Webrtc comm agents
ICE TURN challenges
DTLS
SRTP
Cookies – Security vs persistsnt state
Cross-site request forgery (CSRF) attacks rely on the fact that cookies are attached to any request to a given origin, no matter who initiates the request.
While adding cookies we must ensure that if SameSite =None , the cookies must be secure
Set-Cookie: widget_session=abc123; SameSite=None; Secure
SameSite to Strict, your cookie will only be sent in a first-party context. In user terms, the cookie will only be sent if the site for the cookie matches the site currently shown in the browser’s URL bar.
Set-Cookie: promo_shown=1; SameSite=Strict
You can test this behavior as of Chrome 76 by enabling chrome://flags/#cookies-without-same-site-must-be-secure and from Firefox 69 in about:config by setting network.cookie.sameSite.noneRequiresSecure.
Performance monitoring
Key Performance Indicators (KPIs) are used to evaluate the performance of a website . It is crticial that a webrtc web page must be light weight to acocmodate the signalling control stack javscript libs to be used for offer answer handling and communicating with the signaller on open sockets or long polling mechnism .
Lighthouse results
Lighthouse tab in chrome developer tools shows relavnat areas of imporevemnt on the webpage from performmace , Accesibility , Best Practices , Search Engine optimization and progressive Web App
Also shsows individual categories and comments
Time to render and Page load
Page attributes under Chrome developers control depicts the page load and redering time for every element includeing scripts and markup. Specifically it has
- Time to Title
- Time to render
- Time to inetract
Networking attributes to be cofigured based on DNS mapping and host provider. These Can be evalutaed based on chrome developer tool reports
Task interaction time
Other page interaction crtiteria includes the frames their inetraction and timings for the same.
In the screenhosta ttcjed see the loading tasks which basically depcits the delay by dom elements under transitions owing to user interaction . This ideally should be minimum to keep the page responsive.
Page’s total memeory
measureMemory()
performance.measureUserAgentSpecificMemory
The above functions ( old and new ) estimates the memory usage of the entire web page
these calls can be used to correlate new JS code with the impact on memery and subsewuntly find if there are any memeory leaks . Can also use these memery metrics to do A/B testing .
DNS lookup Time
Services such as Pingdom (https://tools.pingdom.com/) or WebPageTest can quickly calculate your website’s DNS lookup times
Load / sgtress tresting can be perfomed over tools such as LoadStorm , JMeter
Page weight and PRPL
Loading assests over CDN , minfying sripts and reducing over all weight of the page are good ways to keep the pagae light and active and prevent any chrome tab crashes .
PRPL expands to Push/preload , Render , PreCache , Lazy load
- Render the initial route as soon as possible.
- Pre-cache remaining assets.
- Lazy load other routes and non-critical assets.
Preload is a declarative fetch request that tells the browser to request a resource as soon as possible. Hence should be used for crticial assests .
<link rel="preload" as="script" href="critical.js">
The non critical compoenents could then be loaded on async .
Lazy load must be used for large files like js paylaods which are costly to load. To send a smaller JavaScript payload that contains only the code needed when a user initially loads your application, split the entire bundle and lazy load chunks on demand.
Web Workers
Web Workers are a simple means for web content to run scripts in background threads.The Worker interface spawns real OS-level threads
By acting as a proxy, service workers can fetch assets directly from the cache rather than the server on repeat visits.
Conversion Rates over analytics Tools
Google Analytics is a good way of deducing Converdsation and bounce rates
Codecs weight
Vide codecs Vp8 vs VP9
SFU vs MCU or p2p media flow
References :
Telecom R & D 